Discord admits customer data theft after third-party security breach


The personal data of Discord users has been exposed after a third-party customer service provider suffered a data breach.
Hackers were able to obtain support tickets from an unnamed company used by Discord to provide support. From this, they were then able to gain access to data including names and government-issued IDs.
The incident took place back on September 20, and Discord says that it acted quickly to get things under control. While the number of users affected by the attacks has not been revealed, Discord is downplaying the impact by saying that only “a limited number of users” are affected. Those whose data was accessed are customers who have used Discord’s customer support and/or Trust and Safety teams.
In a statement about the incident, Discord says:
At Discord, protecting the privacy and security of our users is a top priority. That’s why it’s important to us that we’re transparent with them about events that impact their personal information.
Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.
As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.
We are in the process of contacting impacted users. If you were impacted, you will receive an email from [email protected]. We will not contact you about this incident via phone – official Discord communications channels are limited to emails from [email protected].
Although it is yet to be confirmed, the Scattered Lapsus$ Hunters (SLH) threat group has claimed responsibility for the attack.
Full details of what happened have not been revealed, but Discord has said a little about the type of data involved in the incident:
The data that may have been impacted was related to our customer service system. This may include:
- Name, Discord username, email and other contact details if provided to Discord customer support
- Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
- IP addresses
- Messages with our customer service agents
- Limited corporate data (training materials, internal presentations)
The unauthorized party also gained access to a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.
The company goes on to say:
What are we doing about this?
Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards. In addition, we have:
- Notified relevant data protection authorities.
- Proactively engaged with law enforcement to investigate this attack.
- Reviewed our threat detection systems and security controls for third-party support providers.
Taking next steps
Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious. We have service agents on hand to answer questions and provide additional support.
We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause.
Discord stresses that full credit card numbers and CCV codes were not among the data accessed by hackers.